You can either share data so that the two entities are joint controllers, or each of you is an independent controller (or data controller to data processor, although that is not covered in this article). The distinction between a joint and an independent controller can be seen here: the companies will be jointly responsible for the personal data processed in the context of the draw, since they will both have decided on the purpose and means of processing.
A real estate management company manages university residences for the owner, the university. The company enters into lease agreements with students on behalf of the university and chases all rent arrears. It collects the rent and hands it to the university after deducting a commission.
To buy your GDPR compliance package, go to www.suzannedibble.com/gdprpack and if you haven't yet joined my GDPR Facebook group, in which 35k organizations from around the world discuss GDPR compliance, you can join here.
Although Article 26 of the GDPR requires an agreement between joint controllers, it does not require that agreement to be in writing. A written agreement recording the arrangement is nevertheless a proven method and helps to demonstrate accountability.
A legitimate interests assessment is a three-step test to determine whether you really have a legitimate interest in the processing, whether the processing is necessary to achieve that legitimate interest, and whether the rights and freedoms of the individuals concerned outweigh your interest. If they do, you cannot rely on legitimate interests for the processing and you should obtain the consent of the data subjects.
A legitimate interests assessment form is in my GDPR compliance package, which you can access at www.suzannedibble.com/gdprpack
to transfer personal data from the company from a contract subcontractor to a subcontractor or between two branches of a contract processor, in any case, where such a transfer is accepted by data protection legislation (or by the terms of data transfer agreements put in place to deal with confidentiality restrictions for data transfer, including the Data Protection Act);
Article 26 of the GDPR stipulates that joint controllers must "transparently" define their respective responsibilities for compliance, including the provision of information to data subjects and the exercise of data subjects' rights. An exception is made where EU law or the national law of an EU member state defines the respective responsibilities. Accurately assessing whether a data transfer is to a processor, a joint controller or another independent controller is essential, as the type of agreement you need varies depending on the nature of the other party. If in doubt, seek legal advice.
Although a joint agreement on joint data sharing is not legally required, it would be wise to include these elements for joint controllers as well. This data processing agreement is adapted from the ProtonMail DPA, which is on this page. Organizations can use the following document as part of their compliance with the GDPR. Article 26 also states that the essence of the agreement must be made available to data subjects (probably in the data protection notice) and that a point of contact may be designated for data subjects.